Uber Breached its Privacy Obligations to Users

Uber Breached its Privacy Obligations to Users

The Office of the Australian Information Commissioner has found that Uber failed to protect the personal data of Australians following a cyber-attack in 2016. Uber had been able to prevent the attack and subsequently paid the attackers a reward in exchange for the destruction of the data. The Commissioner conducted an investigation into whether Uber’s preventative measures complied with the Privacy Act 1988 (Cth) (‘Privacy Act’).

Do Australian Privacy Laws apply to International Companies?

Uber does not have a head office in Australia and therefore has no physical presence in Australia. As such, it did not have a direct contractual relationship with Australian drivers or passengers when the data breach occurred. Uber claimed that it was not subject to the requirements under the Privacy Act. However, the Commissioner determined that as Uber carried out business in Australia, section 5B(1A) of the Privacy Act applied. This section extends the operation of the Privacy Act extra-territorially to the acts of organisations which engage in Australia, despite being registered or having their physical presence outside Australia.

How did Uber breach the Privacy Act?

 In their findings, the Commissioner determined that Uber failed to comply with three Australian Privacy Principles (APPs). We have written a previous article explaining these principles in more detail. In this case, the main breaches were:

  • APP 11.1, which requires an entity to ‘take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and [to protect the information] from unauthorised access, modification or disclosure’.
  • APP 11.2, which requires an entity that no longer needs personal information it holds to ‘take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de- identified’.
  • APP 1.2, which requires an entity to take reasonable steps to ‘implement practices, procedures and systems relating to the entity’s functions or activities that will ensure’ compliance with the APPs and will enable inquiries or complaints to be dealt with.

As a consequence of these breaches, the Commissioner ordered Uber to implement a comprehensive data retention and destruction policy, an information security program and an incident response program to ensure that they can comply with the APPs moving forward. However, no fines were imposed on the organisation.

This decision has made clear that global corporations will be held liable under Australian privacy laws even if customers’ personal information is retained overseas. It is also important to note that Uber has faced proceedings in other jurisdictions including the United Kingdom for similar breaches, and where monetary sanctions were imposed.

How Etheringtons Solicitors can help

The findings of the Commissioner are a timely reminder of the importance of both inter and intra-national entities who operate within Australia to ensure they are meeting their obligations when dealing with personal information. If you require assistance with understanding privacy obligations, do not hesitate to get in contact with our experienced team by calling (02) 9963 9800 or via our contact form.

Protect Your Business From Domain Hijacking

Protect Your Business From Domain Hijacking

The internet remains one of the most indispensable marketing tools for businesses, and a domain name is a valuable intellectual property. However, domains are susceptible to being altered with malicious intent. Domain hijacking is one of the most relevant examples for this in our digital world. This article will help you understand what domain hijacking is and will take you through the different steps that should be taken to help you to protect yourself from the crime.

What is a ‘domain name’?

A domain name refers to a website address purchased from a Domain Registrar or from a hosting provider which provides the purchaser access to settings that control the domain usually for a fee. It allows businesses to uniquely distinguish their website source from other website sources. For example, ‘etheringtons.com.au’ is the domain name of Etheringtons Solicitors and allows our clients and broader community to easily identify our website and our services.

Domain names in Australia can be registered through the .au Domain Administration Registry. Before you can register the domain name that will appear on your website, you must ensure that:

  • Your domain name is available (meaning it is unique and not currently owned by another person or business); and
  • You have a valid Australian Company Number (ACN) or valid Australian Business Number (ABN).

What is domain hijacking?

Domain hijacking, also known as domain theft, is the act of changing the registration of a domain name without the permission of its rightful owner. This unauthorised type of cyber-attack causes web-addresses of organisations to be stolen without that organisation’s consent, predominantly through identity theft measures or phishing emails.

This allows the hijacker to alter account information and redirect online traffic to their own websites, which often are linked with the sale of counterfeit goods or black market operations. Therefore, losing access to your domain can be extremely detrimental to a business, especially those that run predominately e-commerce operations, as a domain name forms an important aspect of intangible property.

Recovering a hijacked domain name

If you are concerned that your domain name has been illegally hijacked, there are a number of actions you can take. These include:

  • Confirming if the domain name was hijacked: if your domain name does not open to your website, it is easy to assume that somebody has hijacked the domain name. However, there are a number of reasons why a website may not appear, such as the domain owner failing to renew the domain name before expiry, or technical issues with the website hosting.
  • Check your computer for malware, viruses and update security credentials.
  • Getting in touch with your domain registrar: For example, the .au Domain Administration Registry can be contacted online through a general inquiry form.
  • Checking the WHOIS records on the domain to determine who owns the domain name and if ownership has changed.
  • Seeking legal advice and contacting a dispute resolution provider: Solicitors can launch a complaint on your behalf with the AU Dispute Resolution Policy (AUDRP) or Uniform Dispute Resolution Policy. These are specialised bodies which are tailored to handle domain disputes and complaints in a cheaper and more efficient way than litigation.

What steps can you take to protect yourself and your business?

There are a few precautionary steps that you can take to prevent your domain name from being susceptible to hijacking or other illegal activity. These include:

  • Registering the domain name for an extended period and setting renewal reminders;
  • Increasing the security by locking the domain name so it cannot be transferred without a password. For example, the AusRegistry or database for domains ending in .com.au, has a security measure called .auLOCKDOWN which allows owners to lock their domain name records and prevent unauthorised changes; and
  • Always using multi factor authentication to protect your accounts.

How Etheringtons Solicitors can help

A solicitor at Etheringtons Solicitors can provide clarification of the relevant law in relation to your individual circumstances. If you need further advice or assistance with domain hijacking or other business law matters, please contact one of our experienced solicitors on (02) 9963 9800 or via our contact form.

Non-Fungible Tokens (NFTs) and Ownership

Non-Fungible Tokens (NFTs) and Ownership

The digital landscape of cryptocurrency has drastically evolved with the emergence of NFTs. In 2021, businessman Sina Estavi purchased Twitter founder Jack Dorsey’s first-ever tweet for over $2.8m. Despite this recent surge in crypto-asset investment, however, the Australian Government has not yet directly addressed the regulation of NFT ownership. In this article, we aim to explore what it means to own an NFT and also identify how Australian law currently regulates this new form of currency.

What is a NFT?

“NFTs”, or “Non-fungible tokens” are units of data that are validated and stored in a blockchain; a cryptographic digital ledger. NFTs are capable of digitally representing any tangible or intangible asset ranging from digital artwork and domain names, to event tickets and real estate.

Unlike other cryptocurrencies such as Bitcoin, NFTs are entirely unique and cannot be replaced or replicated. The unique identity of NFTs ensures that the authenticity of digital assets can be verified. This assists in tracking the ownership of assets and reducing the probability of fraud.

Ownership of a NFT

When buying NFTs, owners are assigned a private key which is stored within a digital wallet and used to verify their proof-of-ownership. This private key is used by NFT owners to prove that their token is an authentic copy of the original asset.

NFT creators are issued a public key that is permanently recorded in the token’s metadata and made transparent in the NFT blockchain. This key serves as a certificate of authenticity that proves a NFT was created by a particular individual. On some platforms, creators may earn royalties when their NFTs are sold.

Ownership rights may only be transferred when written in a contract between parties. The scope of rights entitled to an owner is contingent upon the terms and conditions contained within the written agreement.

Why can’t I just copy and paste?

NFT ownership is seemingly unnecessary when a digital asset can be copied, downloaded or streamed for free. Whilst anyone may digitally access and screenshot NFTs, it does not mean that they are entitled to the rights of the original digital artefact.

The more frequently Jack Dorsey’s first-ever tweet is shared online, for example, the more market value the digital asset accrues. If a person were to capture a screenshot of Jack Dorsey’s tweet, they will not be granted any ownership rights because the screenshot does not have a unique key. Without this key, the screenshot cannot be recorded on the blockchain and claimed as an authenticated copy of the original tweet.

Is there legislation regulating the buying and selling of NFTs?

According to the Final Report released by the Senate in October 2021, ‘digital assets are generally not prescriptively regulated in Australia’.

In spite of this gap in governmental regulation, digital assets fall under the definition of a “financial product” within s763 of the Corporations Act 2001 (Cth). This means that many NFTs and crypto-assets exist within the scope of the Australian Securities & Investment Commission’s (ASIC) regulatory framework. ASIC stipulates that individuals or companies which purchase or sell digital assets must hold an Australian Financial Services Licence or, dependant on the circumstance, an Australian Market Licence.

What to look out for when buying or selling NFTs

It is important to consider the following when investing in NFTs:

  • Counterfeits and scammers are apparent on online trading platforms. To avoid misleading or deceptive conduct, verify the true identities of NFT owners.
  • The terms and conditions of blockchain platforms may impose restrictions on the rights of sellers and buyers. These terms will determine the buyer’s scope of ownership rights and may impinge on upon the rights of the copyright owner.
  • You may be obligated to pay tax on capital gains. Be aware of the tax implications of buying or selling digital assets by visiting the Australian Taxation Office website.

To learn more about how Australian law applies to NFTs and other crypto-assets, please visit the ASIC website.

How Etheringtons Solicitors can help

A solicitor at Etheringtons Solicitors can provide clarification of the relevant law and its relation to your individual circumstances. If you need further advice or assistance with intellectual property ownership, please contact one of our experienced solicitors on (02) 9963 9800 or via our contact form.

Who owns the emails you send at work?

Who owns the emails you send at work?

Workplace surveillance and email monitoring have become the norm in organisations across Australia. However, many employees still do not understand their obligations or their rights when it comes to the use of computer technology in the workplace. Another issue arising out of the use of digital communication in the workplace is who owns correspondence that is sent from a work address?

The tension between an employee’s privacy and any potential restraint of trade conditions or copyright issues continue to be a source of contention in employment law, causing confusion for both parties. This blog will provide an overview regarding the law surrounding privacy and workplace surveillance, however if you are affected by this issue it is important to seek out legal advice.

Workplace Surveillance

The Workplace Surveillance Act 2005 (NSW) provides that a policy must be in place for an employer to undertake workplace computer surveillance. Employees must be given notice of that policy. Commonly, employers include a notice of surveillance in a new employee’s contract. However, if employers are introducing computer surveillance into the workplace they must provide employees at least 14 days written notice.

Under the Act the notice must include:

  • the kind of surveillance to be carried out (i.e. computer, camera or tracking surveillance)
  • how the surveillance will be carried out
  • when the surveillance will start
  • whether the surveillance will be continuous or intermittent; and
  • whether the surveillance will be for a specified limited period or ongoing.

What does the Privacy Act 1988 say?

The Privacy Act 1988 (Cth) is the national legislative body for regulating the handling of personal information by government agencies and organisations. The Australian Privacy Principles (APP) are enshrined in this Act, specially Principle 12, which states that if an APP entity (which includes Government agencies and private organizations) holds personal information about an individual, the entity must, on request, give the individual access to the information. It is worth noting that the Act itself does not distinctively cover surveillance in the workplace.  The employee records exemption under this Act provides an exemption to adherence to the APP for employers in certain circumstances. This means that employers are allowed to collect and store employee’s personal information if it is directly related to the employee-employer relationship, or if it forms part of an employee record.

However, employers should not assume that all the information they hold that relates to an individual employee would constitute an employee record. For example, the Office of the Australian Information Commissioner (OAIC) have given the example of financial correspondence received into an employee’s work email account. Whilst an employee’s bank details may fall within the meaning of ‘employee record’, the specific emails and their contents that an employee receives from their financial institution that is sent to their work email account, may not necessarily be part of an ‘employee record’ as it may not relate to the employment of the employee. Whether or not the content of emails sent or received by an employee forms part of their ‘employee record’ will always depend on the circumstances and you should seek advice regarding your particular case.

How do I know if my employer can view emails sent from my company email address?

If an employer has given notice that workplace emails are or can be placed under surveillance, then it is quite likely that your employer can view emails sent from your company email address. Most organisations have privacy and workplace surveillance policies that stipulate when and why your emails might be viewed by an employer.

If you are disputing your right to access to your personal emails on your work email accounts, the OAIC may have the jurisdiction to hear your complaint if you are arguing that the emails fall out of the employee record exemption prescribed in the Privacy Act. However, as mentioned previously, this is determined on a case by case basis and the law surrounding this area remains somewhat ambiguous. If you are unsure, it is best to seek legal advice. The team at Etheringtons Solicitors are skilled in employment law and are ready and willing to assist you with your enquiry.  If you would like further information, please do not hesitate to contact one of our experienced solicitors on 9963 9800 or via our contact form. For more articles, please see our blog here.

Are electronic signatures the new norm? COVID-19: Executing Contracts and Deeds.

Are electronic signatures the new norm? COVID-19: Executing Contracts and Deeds.

With increased safety precautions of social distancing and restricted business opening hours in place, many employees are working from home. One consequence is that many projects may stall if there is an inability to sign contracts that require renewal or documents to complete transactions. This raises the question of how company contracts can be signed remotely and what are the risks. Are electronic signatures a solution?

What is an electronic signature?

A broad definition is that it is a visible representation of a person’s name or mark, placed by a person in a communication or on a document to indicate their assent. This may range from a typed name of the sender, a scanned image of a handwritten signature or clicking “I agree”. Each has a varying level of security and encryption, which may be vulnerable to copying and tampering.

General agreements

Under common law, an agreement can be in electronic form and executed electronically. There is additional validation from the Electronic Transactions Act 2000 (NSW) if the signature complies with specific conditions relating to the identity of the person, reliability of the signing method, and consent of the person to whom the signature is given. The law does not provide guidance on how electronic and attestation of documents should take place, and there still remain circumstances in which parties and lawyers are unwilling to accept electronic signatures.

Execution of documents by companies – section 127 of the Corporations Act

There are specific requirements for companies signing agreements. Ordinarily, a common seal can be affixed to the document and be witnessed by two directors or one director and a secretary. It can be signed without a seal but again by two directors or one director and a secretary. In the current circumstances, there are ways to manage the risks surrounding electronic execution of company documents. The people requiring signatures should obtain evidence that the person signing the document is actually authorised to sign the document electronically. The parties should ensure that there are no limitations as to the mode of execution by checking the board minutes, corporate constitutions and powers of attorney, and ensuring that the ASIC records and the identities of the directors and secretaries are verified. Companies should consider appointing a power of attorney as a power of attorney can electronically execute agreements on behalf of a company.

Conveyancing contracts

The Conveyancing Act permits deeds to be created in electronic form, and to be electronically signed and attested. The Act also states that documents relating to land interests can be electronic and signed electronically. It is important to note that the operation of other requirements in the Conveyancing Act will continue to apply to contracts or deeds whether they are electronic or on paper. It is important that you obtain proper legal advice before you enter into a conveyancing contract.

Execution of deeds

The law is settled that a document can be witnessed electronically. This will only be valid if the witness was physically present at the time the electronic deed was electronically signed by the signatory and the witness electronically signed the same document at the same time as the signatory. Unfortunately, this means that attestation cannot be conducted by teleconference or signed at a later time, presenting the same logistical requirements as witnessing a paper document.

Conclusion

In the absence of clear authority, we recommend a conservative approach to minimise risk and prevent one or more parties from suffering loss. If a document can only be executed electronically, then try avoiding a deed and instead use an agreement because a deed does not require a consideration (payment) but an agreement does. Therefore, you can look at whether consideration has been given in order to determine validity of a document.

Further information

It is important to be fully aware of your obligations and options in your contractual arrangement during difficult times such as COVID-19. If you would like further information regarding the impact on your business or simply corporate and contract law advice, please do not hesitate to contact one of our experienced solicitors on 9963 9800 or via our contact page.

More information about COVID-19 can be found here: www.health.gov.au

 

Mobile Apps – Common Intellectual Property Disputes

Mobile Apps – Common Intellectual Property Disputes

Are you a mobile app developer or someone contracting with a developer to make mobile apps? Are you having issues as to who owns what when the work is done, or even before it is done? You are not alone. This article aims to set out briefly some of the common copyright disputes that arise, what the law says, and what the process is for resolving these sorts of disputes.

Common disputes about mobile apps

Increasingly these days, we are seeing more and more mobile applications (apps) being developed for many different purposes. From tax lodgment to payroll, to apps for finding a lawyer or the best restaurant, the possibilities are endless. Businesses in all sectors are attempting to provide goods and services differently, and mobile app developers are helping them do it.

Sometimes, issues may arise between developers and their clients as to who owns the underlying data while the app is being developed. A dispute might arise when the project is complete, and the client may withhold payment. Developing an app can take months and even years and often agents are involved between the client and the app developer. Clients might change their mind and decide to take a half finished app to another developer to finish the project. Clients may assert that the app, and the intellectual property therein, is theirs, and may even withhold payment to their developer until the app, typically the source code underlying it, is given to them so that the app can be taken to another (less expensive) developer to finish. But really, who ‘owns’ it?

What the law says

The first place to look for answers to this question is the Copyright Act 1968. Under section 10, a “computer program” is included in the definition of a “literary work”. Under section 32, copyright of a literary work is effective if it was made in Australia by a suitably qualified author, even if it has not been published yet. Under section 35, the author owns the work. Lastly, section 196 tells us that ownership of copyright can be assigned (‘passed on’) to someone else, but an agreement to do so must be in writing.

Case law gives us some guidance as to what happens if you don’t have a written agreement or if the agreement is silent or vague as to the ownership. They tell us that if a business client asks for the app (usually in the form of its source code) to be given to them, a term will be implied to allow this to happen. This is particularly the case where the business client is paying for the design and manufacture of the app, and where, objectively, there is no real expectation that the developer should retain the app/its source code for itself or for the benefit of a competitor of the business client.

Arguments may also be made that the app developer only has a license to the app, which essentially means that the proper owner is the business client, not the developer.

Beyond Copyright

What about after the project has finished and the invoice has been paid in full? Can ideas, formulas and know-how which the app developer gained while working on its client’s app be used elsewhere? For example, the intangible ideas, formulas and know-how gained from a tax lodgment app – can you use these when working for another client looking to develop another finance or accounting app? Can the client come back and sue the app developer for IP infringement?

Resolving your dispute

Both the Supreme Court of NSW and the Federal Court of Australia can hear disputes concerning intellectual property. The starting point is your agreement. Without a written agreement, the dispute resolution process can be both complex and expensive.

The best advice before starting work on a mobile app is to agree in writing who will own what when the work is done, and at various stages of the work’s development.

Seek Legal Advice

Whether you’re a business or an app developer, if you have having issues around your app and its creation, we can provide additional information and advice to you regarding your situation. If you would like to discuss your concerns with a legal professional please contact us on (02) 9963 9800 or at [email protected]